Deloitte Cyber Security Bulletin

Security Intelligence

Google Docs Phishing Campaign
Source: us-cert.gov

A phishing campaign that affected Google Docs users has been reported. The campaign used spoofed email addresses to target users with emails purporting to share a document for collaboration. Once the targeted users accepted invitations, they were encouraged to allow the phishing program access to their email accounts. Google has taken action to protect users, including removing the fake Google Docs pages and disabling the offending accounts.

Microsoft has announced the release of Advanced Data Governance and Threat Intelligence tools for Office 365 and has also made significant updates to its Advanced Threat Protection (ATP). These security enhancements bolster Office 365’s security and compliance capabilities by providing insights into trends and threats.

Google making life difficult for ransomware to thrive on Android
Source: threatpost.com

At the Kaspersky Lab Security Analyst Summit, Google announced several security enhancements and its strategy for fending off ransomware threats on Android. Google has adopted a combination of deprecated APIs and functionality rollbacks, and has also released a new developer preview, Android O, which comprises a new system enhancement aimed at making Android impenetrable to ransomware.

An investigation conducted by Interpol resulted in the identification of nearly 9,000 command and control (C&C) servers located in Asia (Indonesia, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam). The law enforcement body operated with the support of private partners, including Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks.

Microsoft is making it harder for cyber-attackers to target web applications hosted on its Azure cloud computing platform by adding a Web Application Firewall (WAF). With the majority of websites and services moving into one of the big three cloud providers (AWS, Google or Azure), this has been considered a good move. A WAF can mitigate many attacks that follow the same few patterns (SQL injection, cross-site scripting (XSS), etc.) with minimal false positives. With the addition of the Web Application Firewall, customers can now fortify their applications and reduce the risk of attacks.

MasterCard recently unveiled a new payment card with an embedded fingerprint sensor and therefore a whole new layer of security. By placing the sensor directly on the card, it ensures the person who owns the card must be present with their finger on the card to complete a transaction. That is, of course, assuming the store you’re in supports the feature through its card terminals. MasterCard says no new hardware is required for authentication to work.

Attacks and Data Breaches

Hackers plunder bank accounts via SS7 TFA flaw
Source: scmagazine.com

O2 has admitted that thieves exploited flaws in SS7 to steal money from victims’ bank accounts. Hackers used SS7 to redirect the text messages banks use to send one-time passwords to customers. Instead of being delivered to the account holder’s phone, the texts were diverted to phone numbers under the control of the hackers. The hackers then used the mTANs (short for “mobile transaction authentication numbers”) to take money out of victims’ accounts.

Scottrade Bank confirmed that a technical incident has exposed 20,000 customer records. A 60GB MSSQL database was accidentally left open online. The incident occurred when its IT services company, Genpact, uploaded sensitive data to an Amazon-hosted server without protecting the archive, leaving it exposed online.

BEC scammers picked off $5B, FBI says
Source: scmagazine.com

Business E-mail Compromise (BEC) scams have now raked in a total of $5 billion, according to the Federal Bureau of Investigation (FBI).

The FBI report revealed 40,203 domestic and international incidents occurred from October 2013 to December 2016 with 22,292 U.S. victims. Total losses in the U.S. were nearly $1.6 billion.

WikiLeaks has published a new document from the Vault7 archive containing technical details about another hacking tool allegedly used by the U.S. Central Intelligence Agency (CIA). This time, the organization has published information on a tool designed to record audio via the built-in microphone of some Samsung smart TVs. The tool, Weeping Angel, was first mentioned when WikiLeaks initially published information related to Vault 7. It is used by the cyber-spies to spy on targets through Samsung smart TVs.

Tens of thousands of home routers have been hacked and used to power cyber-attacks on WordPress websites.

A spike was observed in the number of attacks originating from Algeria that targeted customer websites. Further investigation revealed that the attacks were launched from more than 10,000 IP addresses, most of which were associated with the state-owned telecoms company Telecom Algeria.

The gang responsible for the Dridex computer Trojan used an unpatched Microsoft Word vulnerability to dispense malicious documents to tens of millions of customers. The attackers exploited this flaw by leveraging a logic bug in the Windows Object Linking and Embedding (OLE) feature of Microsoft Office. The exploit’s existence was discovered by security researchers from antivirus vendor McAfee, but it was reported that targeted attacks had been occurring since January.

McAfee LinkedIn page hijacked
Source: csoonline.com

The LinkedIn presence of McAfee, a top computer security software provider, was hacked by an unknown person or group of individuals. The account hijackers defaced the company’s business page with random remarks. How the individual(s) obtained access to McAfee’s LinkedIn account is unknown, though someone claiming a connection to the incident says the key was recycled passwords. The incident underlined the risks of shared admin access to social media accounts and of recycled credentials.

The popular security expert Chris Vickery has discovered a new data breach affecting the online trading firm AMP, which exposed thousands of files, including credit reports, passport scans and customer chat logs. This incident is notable because of the amount of money that passes through AMP’s systems.

Atlassian HipChat group chat service hacked
Source: securityaffairs.co

Unknown hackers broke into a cloud server of Atlassian and stole a huge amount of data, including group chat logs. According to Atlassian, the attackers exploited a vulnerability in a “popular third-party” software library used by its HipChat.com service; the company did not reveal the name of the library. Atlassian reset user passwords for its group chat service HipChat after notifying its customers of the data breach.

Payday loan company Wonga breached
Source: nakedsecurity.sophos.com

Payday loan firm Wonga has suffered a data breach affecting up to 245,000 customers in the U.K. A further 25,000 customers in Poland may also be affected.

A notification on Wonga’s U.K. website currently warns of “illegal and unauthorised access to limited personal data,” and says affected customers have been emailed about the breach. It says it does not believe customers’ Wonga account passwords were compromised but suggests concerned users change their password anyway. There are no details about how the breach happened at this point, with Wonga saying only on its website that it is “urgently working to establish further details”.

Users around the world of Webroot’s endpoint security product, consumers and businesses alike, had a shocking and unwanted surprise when the program started flagging Windows files as malicious. The company has since come up with a manual fix to address the issue, but many users still had problems recovering their affected systems. The problem is what is widely known in the antivirus industry as a “false positive”: a clean file is flagged as malicious and is blocked or deleted.

RawPOS malware up to new tricks
Source: scmagazine.com

Researchers from Trend Micro have reported an increased threat of identity theft from RawPOS. By modifying its regex patterns, the malware has evolved to identify and gather credit card magnetic stripe data, and it also includes a keylogger and a backdoor. It has also been recently discovered that the malware has a regex that identifies driver’s license data.

The Mirai botnet is back and includes a Bitcoin mining component
Source: securityaffairs.co

The Mirai botnet was first spotted in August 2016; it was specifically designed to compromise vulnerable or poorly protected IoT devices. Once the Mirai malware compromises an IoT device, it recruits it into a botnet primarily used for launching DDoS attacks, such as the one that hit the Dyn DNS service.

However, the Mirai source code was leaked and threat actors in the wild started customizing their own Mirai botnets. The latest Mirai variant spotted in the wild by IBM researchers implements further capabilities, including a component for Bitcoin mining.

Linksys routers vulnerable to DDoS attacks
Source: pcmag.com

Flaws have recently been discovered in Linksys routers. Linksys identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial-of-service (DDoS) attacks. The flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. The company said it is working on a fix for the vulnerabilities.

A WordPress attack was recently discovered by researchers; the attack injects malicious JavaScript code into almost every .js file it can find. The obfuscated malicious code can be recognised by a hex-encoded string and is usually appended to the legitimate content of the files. This code loads another script from a third-party server, which then redirects first-time visitors to sketchy spam sites (e.g. financial scams and get-rich-quick schemes) via an affiliate link from a shady ad network.
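The two traits the bulletin describes, a hex-encoded string and placement after the legitimate file content, are enough for a simple defensive check. The following added example (not code from the report or from any vendor named above) scans a .js body for long runs of \xHH escapes and recovers what was appended by comparing a file against a known-good copy; the sample files and the eight-escape threshold are constructed assumptions.

```python
import re

# Heuristic (an assumption of this example, not a published signature): a JavaScript
# string literal spelled entirely as \xHH escapes, eight or more in a row. Hand-written
# or minified code almost never does this; the appended obfuscated tails do.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
HEX_BYTE = re.compile(r'\\x([0-9a-fA-F]{2})')

def hex_escape(s: str) -> str:
    """Spell s as a \\xHH escape sequence. Used here only to build the sample."""
    return ''.join('\\x%02x' % b for b in s.encode('latin-1'))

# Constructed sample files, not code from the campaign: a clean script and the same
# script with an obfuscated line appended, as the bulletin describes.
CLEAN_JS = (
    "function add(a, b) { return a + b; }\n"
    "window.onload = function () { console.log(add(1, 2)); };\n"
)
INJECTED_JS = CLEAN_JS + 'var _0xab12 = ["' + hex_escape('//cdn.example.invalid/s.js') + '"];\n'

def decode_hex_run(raw: str) -> str:
    """Turn a matched \\xHH run back into readable text for the analyst."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(raw)).decode('latin-1')

def scan_js(js: str) -> dict:
    """Report every long hex-escaped run in a .js body with its line number and decoded text."""
    hits = list(HEX_RUN.finditer(js))
    return {
        'suspicious': bool(hits),
        'lines': [js.count('\n', 0, m.start()) + 1 for m in hits],
        'runs': [decode_hex_run(m.group(0)) for m in hits],
    }

def appended_tail(pristine: str, current: str):
    """Return what was appended to a known-good copy (e.g. the file shipped in the
    plugin or theme archive), or None if current is not pristine-plus-tail."""
    if len(current) > len(pristine) and current.startswith(pristine):
        return current[len(pristine):]
    return None

if __name__ == '__main__':
    for name, body in (('clean.js', CLEAN_JS), ('injected.js', INJECTED_JS)):
        report = scan_js(body)
        print(name, 'suspicious' if report['suspicious'] else 'clean', report['runs'])
    print('appended:', appended_tail(CLEAN_JS, INJECTED_JS))
```

Decoding the run gives the analyst the third-party host the loader points at, which is the indicator worth blocking at the web proxy while the files are restored from a clean copy.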

A new Android malware family is able to blend in with normal network traffic and avoid detection by encrypting its payloads, in order to access internal networks. The backdoor, known as MilkyDoor, has so far affected 200 unique Android apps available on the official Google Play Store. It appears criminals seized most if not all of these apps, repackaged them with malware, and uploaded them to the Play Store.

A new breed of DDoS attack on the rise
Source: darkreading.com

Akamai Networks reported at least 50 DDoS attacks that involved abusing connectionless LDAP, a variant of the Lightweight Directory Access Protocol. Since last October, the content delivery network and cloud services provider has identified and mitigated this new breed of DDoS attack.

A new spam campaign in which ransomware is hidden in a Word document, which is in turn nested in a PDF, has recently been discovered by SophosLabs. Typically, the ransomware is pushed out as an email with a PDF attachment which, once opened, downloads a Microsoft Word document containing a macro. This in turn prompts the system to run the VBA macro, which downloads and runs the crypto-ransomware. To limit the impact, users are advised to back up and patch systems regularly.

After May 9, 2017, devices running Windows 10 version 1507 will no longer receive security updates. Users and administrators are advised to review Microsoft’s Windows 10 version 1507 posts for more information and to apply the necessary updates.

Google Releases Security Updates for Chrome
Source: securityaffairs.co

Google has released Chrome version 58.0.3029.96 for Windows, Mac and Linux. This version addresses a vulnerability that an attacker could exploit to cause a denial-of-service condition. Users and administrators are advised to review the Chrome release page and apply the necessary updates.

Microsoft says it has fixed exploits leaked by Shadow Brokers in March
Source: securityaffairs.co

Microsoft has announced that most of the Windows vulnerabilities exploited by the hacking tools released by the Shadow Brokers were patched in last month’s Patch Tuesday update. The Shadow Brokers hacker group released a portion of an alleged NSA archive containing hacking tools and exploits. The tools worked against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and Server 2000, 2003, 2008, 2008 R2 and 2012, but not Windows 10 or Windows Server 2016.

According to Project Zero researcher Gal Beniamini, Broadcom has patched the vulnerabilities in its chipset and has communicated these fixes to vendors. Google and Apple have responded by developing fixes for Android and iOS respectively. The vulnerabilities were stack overflows and heap overflows in the chipset’s handling of peer-to-peer data exchange, which lets devices exchange data without going through the access point.

During its recent quarterly patch update, Oracle recorded its largest-ever number of security updates. Oracle patched vulnerabilities across a wide range of Oracle products and services, including a vulnerability in the Apache Struts framework and a Solaris exploit. The majority of the fixes were for Oracle’s business-critical applications and database server. Oracle disclosed that of the 299 vulnerabilities, over 100 are remotely exploitable.

An updated patch for a code-injection vulnerability affecting the TREX search engine has been integrated into more than a dozen SAP products. The flaw was originally found in 2015 and patched in the SAP HANA database. However, it was discovered that the original patch was incomplete, as the flaw could still be exploited through TREXNet. As part of SAP’s scheduled patch release, the flaw was patched along with other vulnerabilities, but the TREX vulnerability was given the highest criticality rating.

Microsoft has reportedly patched a previously undisclosed zero-day Word vulnerability used by attackers to install a variety of malware on users’ computers.

As stated in its bulletin, Microsoft designed this security update to address vulnerabilities in Microsoft Office that could allow remote code execution when a specially crafted file is opened.

Adobe Releases Security Updates for ColdFusion
Source: us-cert.gov

Adobe has released security updates to address a vulnerability in ColdFusion. Exploitation of this vulnerability may allow a remote attacker to take control of an affected website. Users and administrators are encouraged to review Adobe Security Bulletin APSB17-14 and apply the necessary updates.

Microsoft Releases Critical Security Update
Source: us-cert.gov

Microsoft released a critical out-of-band security update addressing a vulnerability in the Microsoft Malware Protection Engine. A remote attacker could exploit this vulnerability to take control of an affected system. Users and administrators are encouraged to review Microsoft Security Advisory 4022344 for details and apply the necessary update.

Mozilla Releases Security Updates
Source: us-cert.gov

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. Users and administrators are encouraged to review the Mozilla Security Advisories for Firefox 53.0.2 and Firefox ESR 52.1.1 and apply the necessary updates.